Relay-Version: version B 2.10 5/3/83; site utzoo.UUCP
Path: utzoo!watmath!clyde!cbatt!ihnp4!houxm!ho95e!wcs
From: wcs@ho95e.UUCP (#Bill.Stewart)
Newsgroups: net.unix-wizards
Subject: Re: Which commands (in /bin & /usr/bin) must have set user ID (for root)
Message-ID: <1040@ho95e.UUCP>
Date: Fri, 17-Oct-86 22:37:39 EDT
Article-I.D.: ho95e.1040
Posted: Fri Oct 17 22:37:39 1986
Date-Received: Tue, 21-Oct-86 23:24:01 EDT
References: <115@tijc02.UUCP> <735@hropus.UUCP>
Reply-To: wcs@ho95e.UUCP (Bill Stewart 1-201-949-0705 ihnp4!ho95c!wcs HO 2G202)
Organization: AT&T Bell Labs, Holmdel NJ
Lines: 28

In article <735@hropus.UUCP> jrw@hropus.UUCP (Jim Webb) writes:
>>[Somebody else wrote..]
>> I currently have VAX 11/785s running AT&T UNIX V Release 2 Version 2.0.
>> I am wondering which commands in /bin /and /usr/bin (owned by root, group is
>> sys) must have the set user ID, or set group ID on execution in order
>> to work correctly.

What surprised me about the list Jim replied with was that most of the commands
were -rws......! Why should a setuid command *ever* be writeable? - it's just
*inviting* attempts to find a bug and convince the command to write over itself.
Are there any commands that actually depend on this?

>-rwsr-xr-x 1 root sys 47197 Oct 20 1985 at
>-rwsr-xr-x 1 root sys 25093 Nov 5 1983 crontab

>at needs to talk to cron in a very specific manner.

I would expect you could write a good cron without setuid, since /etc/cron
runs as root? Likewise "at", since it's the other side of cron?

What irks me more, though, is that the "lp" commands all run setuid-lp
setgid-bin; this means that in a directory which lp can't access ( e.g. 700),
lp foo fails, though lp
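
Added example, not part of the original post: a POSIX shell audit for the condition the post questions, set-ID files that still carry a write bit. The function names and the fixture's file modes are constructed for illustration; on a real system, pass `audit_setid` the directories to check, such as /bin and /usr/bin.

```shell
#!/bin/sh
# Added example: report set-ID files that still carry a write bit.

# audit_setid DIR... prints "<class>-writable <path>" for each regular file
# that is setuid or setgid and writable by owner, group or other.
audit_setid() {
    for class in owner:0200 group:0020 other:0002; do
        who=${class%%:*}   # label printed in the report
        bit=${class##*:}   # write bit tested for this class
        # -perm -MODE matches when every bit in MODE is set on the file.
        find "$@" -type f \( -perm -4000 -o -perm -2000 \) -perm -"$bit" \
            -print 2>/dev/null | sed "s|^|$who-writable |"
    done
}

# make_fixture builds constructed sample files (names borrowed from the
# thread, modes chosen for the demo) in a temp directory and prints its path.
make_fixture() {
    d=$(mktemp -d) || return 1
    for f in at crontab lp plain; do : > "$d/$f"; done
    chmod 4755 "$d/at"       # -rwsr-xr-x: setuid and owner-writable
    chmod 4555 "$d/crontab"  # -r-sr-xr-x: setuid, no write bit anywhere
    chmod 6775 "$d/lp"       # setuid+setgid, owner- and group-writable
    chmod 0755 "$d/plain"    # writable but not set-ID, so never reported
    printf '%s\n' "$d"
}

# Demo run over the constructed fixture.
dir=$(make_fixture) && audit_setid "$dir" && rm -rf "$dir"
```

A file reported here can be tightened with `chmod a-w` once it is confirmed that nothing depends on the write bit, which is the question the post leaves open.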